* [OE-core][PATCH 1/2] openssh: sync local ssh_config + sshd_config files with upstream 8.7p1
@ 2022-08-18 11:17 Jan Luebbe
  2022-08-18 11:17 ` [OE-core][PATCH 2/2] openssh: add support for config snippet includes to ssh and sshd Jan Luebbe
  0 siblings, 1 reply; 5+ messages in thread
From: Jan Luebbe @ 2022-08-18 11:17 UTC (permalink / raw)
  To: openembedded-core; +Cc: Jan Luebbe

Changes are caused by the removal of deprecated options.

ChallengeResponseAuthentication was replaced by
KbdInteractiveAuthentication in the SSHv2 protocol, see
https://www.openssh.com/txt/release-8.7

Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
---
 .../openssh/openssh/ssh_config                    |  4 ++--
 .../openssh/openssh/sshd_config                   | 15 +++++++--------
 2 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/meta/recipes-connectivity/openssh/openssh/ssh_config b/meta/recipes-connectivity/openssh/openssh/ssh_config
index e0d023803eb3..05eecb465ff0 100644
--- a/meta/recipes-connectivity/openssh/openssh/ssh_config
+++ b/meta/recipes-connectivity/openssh/openssh/ssh_config
@@ -1,4 +1,4 @@
-#	$OpenBSD: ssh_config,v 1.33 2017/05/07 23:12:57 djm Exp $
+#	$OpenBSD: ssh_config,v 1.35 2020/07/17 03:43:42 dtucker Exp $
 
 # This is the ssh client system-wide configuration file.  See
 # ssh_config(5) for more information.  This file provides defaults for
@@ -36,7 +36,6 @@ Host *
 #   IdentityFile ~/.ssh/id_ecdsa
 #   IdentityFile ~/.ssh/id_ed25519
 #   Port 22
-#   Protocol 2
 #   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
 #   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
 #   EscapeChar ~
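Review bot: dropping `#   Protocol 2` is correct now that protocol 1 is gone upstream and the keyword no longer selects anything, but the sample lines kept in this hunk still show `aes128-cbc,3des-cbc` in Ciphers and `hmac-md5` in MACs. They are commented out, so nothing changes at runtime, yet anyone using them as a template re-enables CBC ciphers and an MD5 MAC that current OpenSSH defaults exclude. Not a blocker for a sync patch; a follow-up trimming the sample to CTR/GCM ciphers and SHA-2 MACs would make the file safer to copy from.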
@@ -46,3 +45,4 @@ Host *
 #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
+#   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config
index 15f061b570a4..9c5380589013 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd_config
+++ b/meta/recipes-connectivity/openssh/openssh/sshd_config
@@ -1,4 +1,4 @@
-#	$OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $
+#	$OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -57,9 +57,9 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
 
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
+# Change to yes to enable keyboard-interactive authentication (beware issues
+# with some PAM modules and threads)
+KbdInteractiveAuthentication no
 
 # Kerberos options
 #KerberosAuthentication no
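Review bot: the rename keeps the hardened `no`, and since 8.7 still accepts `ChallengeResponseAuthentication` as an alias for `KbdInteractiveAuthentication`, snippets or bbappends in other layers that set the old keyword continue to parse. What does change for integrators is any sed or grep that targets the literal line `ChallengeResponseAuthentication no`; it now silently matches nothing. Suggest saying so in the commit message, and tightening its wording: the SSHv2 method was always keyboard-interactive, only the sshd_config keyword was renamed.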
@@ -73,13 +73,13 @@ ChallengeResponseAuthentication no
 
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
+# be allowed through the KbdInteractiveAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
+# PAM authentication via KbdInteractiveAuthentication may bypass
 # the setting of "PermitRootLogin without-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
+# and KbdInteractiveAuthentication to 'no'.
 #UsePAM no
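Review bot: nit on the unchanged context in this hunk: the comment still refers to `PermitRootLogin without-password`, which has been a deprecated alias of `prohibit-password` since OpenSSH 7.0. It is upstream's wording, so leaving it is fine for a sync, but the warning it carries (PAM via KbdInteractiveAuthentication can bypass that setting) is the part readers should keep in mind when a snippet flips `UsePAM` to yes.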
 
 #AllowAgentForwarding yes
@@ -92,7 +92,6 @@ ChallengeResponseAuthentication no
 #PrintMotd yes
 #PrintLastLog yes
 #TCPKeepAlive yes
-#UseLogin no
 #PermitUserEnvironment no
 Compression no
 ClientAliveInterval 15
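Review bot: removing `#UseLogin no` is right; sshd dropped UseLogin in 7.4 and the commented line described an option this version cannot honour. The context lines show that the two uncommented local deviations in this hunk, `Compression no` and `ClientAliveInterval 15`, survive the resync unchanged; those are the lines to diff against upstream on every future sync, since they are the OE policy rather than upstream's.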
-- 
2.20.1




* [OE-core][PATCH 2/2] openssh: add support for config snippet includes to ssh and sshd
  2022-08-18 11:17 [OE-core][PATCH 1/2] openssh: sync local ssh_config + sshd_config files with upstream 8.7p1 Jan Luebbe
@ 2022-08-18 11:17 ` Jan Luebbe
  2022-08-18 17:31   ` Khem Raj
  0 siblings, 1 reply; 5+ messages in thread
From: Jan Luebbe @ 2022-08-18 11:17 UTC (permalink / raw)
  To: openembedded-core; +Cc: Jan Luebbe

This makes it simpler to set specific ssh/sshd config options by adding
snippet files to /etc/ssh/ssh_config.d/ or /etc/ssh/sshd_config.d/
instead of modifying a copy of the full configuration file. As new
snippets can be added from separate recipes, targeted changes can be
done in multiple layers.

These specific directories are also used in Debian's default
configuration.

Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
---
 meta/recipes-connectivity/openssh/openssh/ssh_config  | 2 ++
 meta/recipes-connectivity/openssh/openssh/sshd_config | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/meta/recipes-connectivity/openssh/openssh/ssh_config b/meta/recipes-connectivity/openssh/openssh/ssh_config
index 05eecb465ff0..ca70f3737596 100644
--- a/meta/recipes-connectivity/openssh/openssh/ssh_config
+++ b/meta/recipes-connectivity/openssh/openssh/ssh_config
@@ -17,6 +17,8 @@
 # list of available options, their meanings and defaults, please see the
 # ssh_config(5) man page.
 
+Include /etc/ssh/ssh_config.d/*.conf
+
 Host *
   ForwardAgent yes
   ForwardX11 yes
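Review bot: placing the Include above `Host *` is the right order for ssh_config, where the first obtained value wins, so a snippet can override the `ForwardAgent yes` and `ForwardX11 yes` defaults visible directly below it; the reverse would have made snippets unable to change anything the main file sets. A pattern that matches no file is not an error for ssh, so an empty directory is harmless. Two things the diff does not do: nothing creates /etc/ssh/ssh_config.d, so recipes that ship snippets must `install -d` it themselves, and a snippet without its own `Host` or `Match` block applies to every destination, which the commit message should spell out.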
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config
index 9c5380589013..e9eaf9315775 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd_config
+++ b/meta/recipes-connectivity/openssh/openssh/sshd_config
@@ -10,6 +10,8 @@
 # possible, but leave them commented.  Uncommented options override the
 # default value.
 
+Include /etc/ssh/sshd_config.d/*.conf
+
 #Port 22
 #AddressFamily any
 #ListenAddress 0.0.0.0
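Review bot: the same first-value-wins rule that makes this placement work also means every uncommented setting lower in this file (`KbdInteractiveAuthentication no`, `Compression no`, `ClientAliveInterval 15`) can be overridden by any `*.conf` a layer drops into /etc/ssh/sshd_config.d, and files are read in lexical order, so `10-x.conf` beats `20-y.conf` for the same keyword. That is the intended flexibility, but it moves the sshd policy from this file to the directory's contents; suggest the commit message say so, and that image tests check the effective policy with `sshd -T` (and syntax with `sshd -t`) rather than by reading sshd_config. Also, `Include` in sshd_config needs OpenSSH 8.2 or later; fine for the 8.7p1 in patch 1, but a layer pinning an older openssh with this file will refuse to start with a "Bad configuration option" error.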
-- 
2.20.1
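The resolution rules behind both patches above (the 8.7 keyword rename in patch 1 and the snippet includes in patch 2), as an added example that is not part of the series and not OpenSSH code: a small Python model of how sshd reads sshd_config, expanding `Include` globs in lexical order, letting the first obtained value win, and folding the old `ChallengeResponseAuthentication` keyword onto `KbdInteractiveAuthentication`. It builds a throwaway directory with constructed files and shows why the patch puts the Include before the local settings. Match blocks are skipped, relative patterns resolve against the temporary directory instead of /etc/ssh, and the nesting limit is an assumption.

```python
"""Model of how sshd reads sshd_config: Include globs in lexical order,
first obtained value wins, and the 8.7 keyword alias.  Added example only;
not OpenSSH code and not part of the OE-core patch."""
import glob
import os
import re
import tempfile

# OpenSSH 8.7 renamed ChallengeResponseAuthentication to
# KbdInteractiveAuthentication and still accepts the old name as an alias.
# Assumption of this model: that is the only alias folded.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# "Keyword value" or "Keyword=value", as sshd_config(5) allows.
_DIRECTIVE = re.compile(r"^(\S+?)\s*(?:=|\s)\s*(.*?)\s*$")

MAX_INCLUDE_DEPTH = 16  # sshd also bounds nesting; the exact number is an assumption


def canonical(keyword):
    """Lower-case the keyword and fold the pre-8.7 alias onto the new name."""
    key = keyword.lower()
    return ALIASES.get(key, key)


def read_directives(path, base_dir, depth=0):
    """Yield (keyword, value) pairs in the order sshd would obtain them.

    Include patterns are expanded with glob, sorted lexically and read
    recursively; relative patterns resolve against base_dir (sshd uses
    /etc/ssh).  Lines inside a Match block are skipped because this model
    only resolves the unconditional global section.
    """
    if depth > MAX_INCLUDE_DEPTH:
        raise RuntimeError("Include nesting too deep at %s" % path)
    in_match = False
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            m = _DIRECTIVE.match(line)
            if not m:
                continue
            key, value = canonical(m.group(1)), m.group(2)
            if key == "match":
                in_match = True
                continue
            if in_match:
                continue
            if key == "include":
                for pattern in value.split():
                    if not os.path.isabs(pattern):
                        pattern = os.path.join(base_dir, pattern)
                    # A pattern that matches nothing is not an error for sshd either.
                    for included in sorted(glob.glob(pattern)):
                        yield from read_directives(included, base_dir, depth + 1)
                continue
            yield key, value


def effective_config(path, base_dir):
    """Resolve a config the way sshd does: the first obtained value wins."""
    effective = {}
    for key, value in read_directives(path, base_dir):
        effective.setdefault(key, value)
    return effective


def demo(include_first):
    """Build a throwaway /etc/ssh look-alike (all files constructed here) and
    return the effective settings with the Include either before the local
    settings, as the patch places it, or after them."""
    with tempfile.TemporaryDirectory() as etc_ssh:
        snippets = os.path.join(etc_ssh, "sshd_config.d")
        os.mkdir(snippets)
        # Snippets from separate layers; file names decide the read order.
        files = {
            "10-hardening.conf": "PermitRootLogin no\n",
            "50-site.conf": "ChallengeResponseAuthentication yes\n",  # old keyword
            "90-debug.conf": "PermitRootLogin yes\n",
        }
        for name, body in files.items():
            with open(os.path.join(snippets, name), "w") as fh:
                fh.write(body)
        include = "Include sshd_config.d/*.conf\n"
        local = "KbdInteractiveAuthentication no\nPasswordAuthentication no\n"
        main = os.path.join(etc_ssh, "sshd_config")
        with open(main, "w") as fh:
            fh.write(include + local if include_first else local + include)
        return effective_config(main, etc_ssh)


if __name__ == "__main__":
    for first in (True, False):
        print("Include %s:" % ("first" if first else "last"), demo(first))
```

With the Include first, `50-site.conf` wins and keyboard-interactive authentication ends up enabled even though the main file says `no` and uses the new keyword; with the Include last, the main file wins and the snippet is inert. `10-hardening.conf` beats `90-debug.conf` for `PermitRootLogin` purely by file name, which is why naming conventions in the snippet directory are part of the policy.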




* Re: [OE-core][PATCH 2/2] openssh: add support for config snippet includes to ssh and sshd
  2022-08-18 11:17 ` [OE-core][PATCH 2/2] openssh: add support for config snippet includes to ssh and sshd Jan Luebbe
@ 2022-08-18 17:31   ` Khem Raj
  2022-08-19  9:57     ` Peter Kjellerstedt
  0 siblings, 1 reply; 5+ messages in thread
From: Khem Raj @ 2022-08-18 17:31 UTC (permalink / raw)
  To: Jan Luebbe; +Cc: openembedded-core

On Thu, Aug 18, 2022 at 4:21 AM Jan Luebbe <jlu@pengutronix.de> wrote:
>
> This makes it simpler to set specific ssh/sshd config options by adding
> snippet files to /etc/ssh/ssh_config.d/ or /etc/ssh/sshd_config.d/
> instead of modifying a copy of the full configuration file. As new
> snippets can be added from separate recipes, targeted changes can be
> done in multiple layers.
>
> These specific directories are also used in Debian's default
> configuration.
>
> Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
> ---
>  meta/recipes-connectivity/openssh/openssh/ssh_config  | 2 ++
>  meta/recipes-connectivity/openssh/openssh/sshd_config | 2 ++
>  2 files changed, 4 insertions(+)
>
> diff --git a/meta/recipes-connectivity/openssh/openssh/ssh_config b/meta/recipes-connectivity/openssh/openssh/ssh_config
> index 05eecb465ff0..ca70f3737596 100644
> --- a/meta/recipes-connectivity/openssh/openssh/ssh_config
> +++ b/meta/recipes-connectivity/openssh/openssh/ssh_config
> @@ -17,6 +17,8 @@
>  # list of available options, their meanings and defaults, please see the
>  # ssh_config(5) man page.
>
> +Include /etc/ssh/ssh_config.d/*.conf
> +
Generally looks ok.
I wonder if this increases security concerns with such blanket includes.

>  Host *
>    ForwardAgent yes
>    ForwardX11 yes
> diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config
> index 9c5380589013..e9eaf9315775 100644
> --- a/meta/recipes-connectivity/openssh/openssh/sshd_config
> +++ b/meta/recipes-connectivity/openssh/openssh/sshd_config
> @@ -10,6 +10,8 @@
>  # possible, but leave them commented.  Uncommented options override the
>  # default value.
>
> +Include /etc/ssh/sshd_config.d/*.conf
> +
>  #Port 22
>  #AddressFamily any
>  #ListenAddress 0.0.0.0
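Review bot: on the blanket-include concern raised earlier in this reply: nothing in this hunk limits the glob, so the directory becomes a policy override point where a lexically early `*.conf` beats every uncommented line in sshd_config. The write permissions needed are the same as for editing sshd_config itself, so it does not widen who can change policy, only where a change can hide. The practical check is to review the effective configuration (`sshd -T`) in image tests instead of the main file, and to ensure only packaged files end up in /etc/ssh/sshd_config.d.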
> --
> 2.20.1
>
>
>



* RE: [OE-core][PATCH 2/2] openssh: add support for config snippet includes to ssh and sshd
  2022-08-18 17:31   ` Khem Raj
@ 2022-08-19  9:57     ` Peter Kjellerstedt
  2022-08-19 12:37       ` Jan Lübbe
  0 siblings, 1 reply; 5+ messages in thread
From: Peter Kjellerstedt @ 2022-08-19  9:57 UTC (permalink / raw)
  To: Khem Raj, Jan Luebbe; +Cc: openembedded-core

> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Khem Raj
> Sent: den 18 augusti 2022 19:32
> To: Jan Luebbe <jlu@pengutronix.de>
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core][PATCH 2/2] openssh: add support for config snippet includes to ssh and sshd
> 
> On Thu, Aug 18, 2022 at 4:21 AM Jan Luebbe <jlu@pengutronix.de> wrote:
> >
> > This makes it simpler to set specific ssh/sshd config options by adding
> > snippet files to /etc/ssh/ssh_config.d/ or /etc/ssh/sshd_config.d/
> > instead of modifying a copy of the full configuration file. As new
> > snippets can be added from separate recipes, targeted changes can be
> > done in multiple layers.
> >
> > These specific directories are also used in Debian's default
> > configuration.
> >
> > Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
> > ---
> >  meta/recipes-connectivity/openssh/openssh/ssh_config  | 2 ++
> >  meta/recipes-connectivity/openssh/openssh/sshd_config | 2 ++
> >  2 files changed, 4 insertions(+)
> >
> > diff --git a/meta/recipes-connectivity/openssh/openssh/ssh_config b/meta/recipes-connectivity/openssh/openssh/ssh_config
> > index 05eecb465ff0..ca70f3737596 100644
> > --- a/meta/recipes-connectivity/openssh/openssh/ssh_config
> > +++ b/meta/recipes-connectivity/openssh/openssh/ssh_config
> > @@ -17,6 +17,8 @@
> >  # list of available options, their meanings and defaults, please see the
> >  # ssh_config(5) man page.
> >
> > +Include /etc/ssh/ssh_config.d/*.conf
> > +
> Generally looks ok.
> I wonder if this increases security concerns with such blanket includes.

If you have the permissions to add a file to /etc/ssh/ssh_config.d or 
/etc/ssh/sshd_config.d, you could just as well modify /etc/ssh/ssh_config 
or /etc/ssh/sshd_config directly.

> >  Host *
> >    ForwardAgent yes
> >    ForwardX11 yes
> > diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config
> > index 9c5380589013..e9eaf9315775 100644
> > --- a/meta/recipes-connectivity/openssh/openssh/sshd_config
> > +++ b/meta/recipes-connectivity/openssh/openssh/sshd_config
> > @@ -10,6 +10,8 @@
> >  # possible, but leave them commented.  Uncommented options override the
> >  # default value.
> >
> > +Include /etc/ssh/sshd_config.d/*.conf
> > +
> >  #Port 22
> >  #AddressFamily any
> >  #ListenAddress 0.0.0.0
> > --
> > 2.20.1

//Peter



* Re: [OE-core][PATCH 2/2] openssh: add support for config snippet includes to ssh and sshd
  2022-08-19  9:57     ` Peter Kjellerstedt
@ 2022-08-19 12:37       ` Jan Lübbe
  0 siblings, 0 replies; 5+ messages in thread
From: Jan Lübbe @ 2022-08-19 12:37 UTC (permalink / raw)
  To: Peter Kjellerstedt, Khem Raj; +Cc: openembedded-core

On Fri, 2022-08-19 at 09:57 +0000, Peter Kjellerstedt wrote:
> > > +Include /etc/ssh/ssh_config.d/*.conf
> > > +
> > Generally looks ok.
> > I wonder if this increases security concerns with such blanket includes.
> 
> If you have the permissions to add a file to /etc/ssh/ssh_config.d or 
> /etc/ssh/sshd_config.d, you could just as well modify /etc/ssh/ssh_config 
> or /etc/ssh/sshd_config directly.

This was my thinking as well.

Thanks,
Jan
-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |



Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-08-18 11:17 [OE-core][PATCH 1/2] openssh: sync local ssh_config + sshd_config files with upstream 8.7p1 Jan Luebbe
2022-08-18 11:17 ` [OE-core][PATCH 2/2] openssh: add support for config snippet includes to ssh and sshd Jan Luebbe
2022-08-18 17:31   ` Khem Raj
2022-08-19  9:57     ` Peter Kjellerstedt
2022-08-19 12:37       ` Jan Lübbe
